Friday, 19 Jan 2007

OpenID and phishing

Ben Laurie writes about OpenID being a phishing heaven. He says:

“I had hoped that by constantly bringing this up the OpenID people might take some step to deal with the issue”

There has been, since October 2006, a set of defined OpenID security profiles. The lion's share of the profiles has been incorporated into the core spec.

I believe the OpenID protocol partners (OP, RP, and user) can avoid the bulk of phishing issues by holding each other to certain pre-defined profiles.

But, I could be wrong, of course. Let’s say the security profiles don’t solve phishing issues.

However, the profiles are there precisely to handle such issues, and the opportunity to discuss them has been around for over three months…

Reader Comments (1)

You are not wrong. Profiles are one way; the CardSpace Identity Selector, Hardt’s Sxipper (and scores of less cool sounding password manager plugins) another way; Verified by Visa/VeriSign is another way, these being merely socially accepted/understood(?) profiles.

Ben is mixing apples with oranges, worse, expecting a solution in a wrong place. It is easier to be critical than to be correct - maybe that is why Scott and David are conciliatorily asking Ben to participate!!
January 20, 2007 | Unregistered Commenter Krishna
